--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> Ok, if you're watching /home/casey/viruses and you mv/rename()
> viruses/ to fuzzybunnys/, you will lose the watch.

That is not what I would expect from an object standpoint. I specified
the object that I wanted to watch and the rename did not change the
object.
> The way it works is that the administrator specifies specific paths
> and if we leave such a path, we're no longer audited.

For this argument to make sense you would have to keep an eye out for
/home/casey/viruses reappearing in the namespace and mark it for audit.

    casey% mv viruses fuzzybunnys
    casey% mv fuzzybunnys viruses

should not disassociate the audit watch.
> You're right, if that directory were renamed, and a new one created,
> the new directory would be auditable, and the one you were interested
> in would not. But, really... the user could also DoS the system in a
> CAPP environment (can't use the rate limit). I guess what this boils
> down to is requirement. As far as I know, for this type of
> certification, monitoring a user isn't the goal of file system
> auditing, but rather, we're trying to validate and verify the kernel's
> response/reaction to stimulus/action within the filesystem.
Make no mistake. The stated and genuine purpose of an audit trail is to
track the changes to the security state of the system and the access
control decisions made by the system. This requires that it be 100%
unambiguous what it means to specify a watched object. The issue here is
that the file system name space you are using to specify what object to
watch can be changed within the system security policy by unprivileged
users in such a way as to disassociate the watch. Your mechanism is
unreliable.

If, on the other hand, you said

    # watch dev=8,9 inode=8776

that would be reliable, unambiguous, and painful.

If you want to audit by pathname, attaching the audit watch to the inode
is not right because the two are not connected in any real way.
=====
Casey Schaufler
casey(a)schaufler-ca.com
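The following is an added example, not code from either participant or
from the kernel audit subsystem. It models the two ways of identifying a
watched object that the thread contrasts (by the pathname the
administrator typed, or by dev/inode) and replays the mv sequence above
against both, including the case where a fresh directory is created
under the old name. PathWatch, InodeWatch and simulate() are hypothetical
names chosen for the illustration; the temporary directory stands in for
/home/casey.

```python
"""Added example: path-keyed vs. inode-keyed watches across a rename.

Not code from the thread or from the kernel audit subsystem.  PathWatch
and InodeWatch are hypothetical models of the two ways to identify a
watched object that the discussion contrasts: by the pathname the
administrator typed, or by (st_dev, st_ino).
"""
import os
import tempfile


def inode_key(path):
    """Identity of the object behind `path`: (device, inode number)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


class PathWatch:
    """Watch keyed by pathname, i.e. "watch /home/casey/viruses"."""

    def __init__(self, path):
        self.path = path

    def covers(self, path):
        # The watch applies to whatever object currently sits at self.path.
        # If nothing does (the directory was renamed away), nothing is
        # watched; if a new directory appears there, that one is watched.
        if not os.path.lexists(self.path):
            return False
        return inode_key(self.path) == inode_key(path)


class InodeWatch:
    """Watch keyed by object identity, i.e. "watch dev=8,9 inode=8776".

    Caveat (assumption about real systems): an inode number is only
    unique among live objects, so the key is unambiguous for as long as
    the original object exists.  Here it always does, since rename never
    frees it.
    """

    def __init__(self, path):
        # Resolve the name exactly once, when the watch is set.
        self.key = inode_key(path)

    def covers(self, path):
        # Follows the object through renames; ignores whatever later
        # appears under the original name.
        return inode_key(path) == self.key


def simulate():
    """Replay the thread's mv sequence.

    Returns {step: (path_watch_covers, inode_watch_covers)} where the
    object asked about is the one the administrator originally watched,
    except for the "impostor" step, which asks about the new directory.
    """
    results = {}
    # Constructed stand-in for /home/casey; removed on exit.
    with tempfile.TemporaryDirectory() as home:
        viruses = os.path.join(home, "viruses")
        fuzzy = os.path.join(home, "fuzzybunnys")
        os.mkdir(viruses)
        pw, iw = PathWatch(viruses), InodeWatch(viruses)

        results["initial"] = (pw.covers(viruses), iw.covers(viruses))

        # casey% mv viruses fuzzybunnys
        os.rename(viruses, fuzzy)
        results["after_rename"] = (pw.covers(fuzzy), iw.covers(fuzzy))

        # casey% mv fuzzybunnys viruses
        os.rename(fuzzy, viruses)
        results["after_rename_back"] = (pw.covers(viruses), iw.covers(viruses))

        # Rename away again, then create a fresh directory under the old name.
        os.rename(viruses, fuzzy)
        os.mkdir(viruses)
        results["original_after_impostor"] = (pw.covers(fuzzy), iw.covers(fuzzy))
        results["impostor"] = (pw.covers(viruses), iw.covers(viruses))
    return results


if __name__ == "__main__":
    for step, (by_path, by_inode) in simulate().items():
        print(f"{step:24s} path-keyed={by_path!s:5s} inode-keyed={by_inode}")
```

Run as a script it prints one line per step. The path-keyed watch loses
the original directory on the first mv, gets it back on the mv back, and
after a new directory is created under the old name it watches the new
one rather than the one the administrator asked about; the inode-keyed
watch follows the original object throughout and never attaches to the
newcomer. Which of the two is "right" is exactly the question the thread
is arguing about: the code only makes the difference concrete.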